How to Harden Windows Server 2025 with CIS Benchmark

Hardening a Windows Server 2025 system against modern threats requires more than just installing patches — it demands a structured, baseline-driven approach. The Center for Internet Security (CIS) Benchmark for Windows Server 2025 is one of the most widely accepted security configuration guides in the industry. It defines hundreds of specific settings across account policies, audit policies, user rights, network security, and more, organized into two tiers: Level 1 (broadly applicable, minimal performance impact) and Level 2 (defense-in-depth settings for high-security environments). This tutorial walks you through downloading the benchmark, understanding its key hardening areas, and applying the configuration using PowerShell and Group Policy Objects (GPOs) on Windows Server 2025.

Prerequisites

  • Windows Server 2025 (Standard or Datacenter), fully patched
  • Domain Administrator or local Administrator account
  • PowerShell 7.x or Windows PowerShell 5.1 with elevated privileges
  • Group Policy Management Console (GPMC) installed
  • CIS Benchmark PDF and/or CIS-CAT Pro Assessor (requires CIS SecureSuite membership) or the free CIS Hardening Scripts from the CIS GitHub
  • A test environment — apply and validate before pushing to production

Step 1: Download the CIS Benchmark and Assessment Tools

Start by obtaining the official CIS Benchmark document for Windows Server 2025. CIS publishes benchmarks freely for non-commercial use at https://www.cisecurity.org/cis-benchmarks/. For automated assessment, CIS-CAT Pro Assessor (available with a CIS SecureSuite membership) can scan a system and produce a detailed compliance report. Alternatively, the open-source CIS Hardening Scripts on GitHub provide PowerShell-based implementations of many benchmark recommendations.

# Clone the CIS hardening scripts from GitHub (community-maintained)
git clone https://github.com/cis-windows/cis-windows-server-2025-hardening.git
cd cis-windows-server-2025-hardening

# Inspect available scripts
Get-ChildItem -Path . -Filter "*.ps1" | Select-Object Name, Length, LastWriteTime

If using CIS-CAT Pro, run the assessor against your target system before making any changes to establish a baseline score:

# Run the CIS-CAT Pro Assessor CLI from the assessor directory (requires Java 11+;
# the Windows launcher is Assessor-CLI.bat)
.\Assessor-CLI.bat -b benchmarks\CIS_MS_Windows_Server_2025_Benchmark_v1.0.0-xccdf.xml `
    -p "Level 1 - Member Server" `
    -rd C:\CISReports `
    -rp "WS2025-PreHarden"
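Before changing anything it is worth keeping a rollback copy of the exact settings the later steps touch, not just a compliance score. The script below is an added example, not part of the original tutorial or any CIS tool; it assumes an elevated session and uses C:\CISBaseline as an arbitrary output folder. It exports the local security policy with secedit, the advanced audit policy in the format auditpol /restore reads back, the registry keys changed in the Security Options and SMB steps, and the SMB server and firewall profile state.

```powershell
# Added example, not from the original tutorial: snapshot the settings this guide
# changes so they can be restored if validation in the test environment fails.
# Assumptions: run elevated; C:\CISBaseline is an arbitrary folder chosen here.
function Save-HardeningBaseline {
    param([string]$Root = "C:\CISBaseline")

    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    $dir   = Join-Path $Root "pre-harden-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Local security policy: account policy, user rights and security options
    $secFile = Join-Path $dir "secedit.inf"
    secedit /export /cfg $secFile /quiet | Out-Null

    # Advanced audit policy, in the format auditpol /restore reads back
    $auditFile = Join-Path $dir "auditpol.csv"
    auditpol /backup "/file:$auditFile" | Out-Null

    # Registry keys touched by the Security Options and SMB steps
    $keys = @(
        "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa",
        "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
        "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
        "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
    )
    $regSnapshot = foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Skip the PS* metadata properties the registry provider adds to every item
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike "PS*" })) {
            [pscustomobject]@{ Key = $k; Name = $name; Value = ($props.$name -join ",") }
        }
    }
    $regSnapshot | Export-Csv -Path (Join-Path $dir "registry.csv") -NoTypeInformation

    # SMB server and firewall profile state
    Get-SmbServerConfiguration | Export-Clixml -Path (Join-Path $dir "smb.xml")
    Get-NetFirewallProfile     | Export-Clixml -Path (Join-Path $dir "firewall.xml")

    return $dir
}

$baseline = Save-HardeningBaseline
Write-Host "Baseline saved to $baseline"
# Roll back later with:
#   secedit /configure /db C:\Temp\rollback.sdb /cfg "$baseline\secedit.inf"
#   auditpol /restore "/file:$baseline\auditpol.csv"
```

Keep the snapshot folder with the CIS-CAT pre-hardening report; together they document both the score and the concrete state you are changing from.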

Step 2: Configure Account Policies

Account policies govern password complexity, length, age, and lockout behavior. CIS Level 1 for Windows Server 2025 mandates a minimum password length of 14 characters and an account lockout threshold of 5 invalid attempts. These settings can be applied directly via the Local Security Policy or through a GPO linked to an OU.

# Apply password policy via net accounts (local system)
net accounts /minpwlen:14 /maxpwage:60 /minpwage:1 /uniquepw:24

# Apply account lockout policy
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# Verify applied settings
net accounts

For domain-wide enforcement via PowerShell and Active Directory. Note that a Fine-Grained Password Policy applies only to the users and groups added as its subjects; the Default Domain Policy still governs every other account, so the same values must be set there as well:

Import-Module ActiveDirectory

# Set Fine-Grained Password Policy (applies to a group)
New-ADFineGrainedPasswordPolicy `
    -Name "CIS-L1-PasswordPolicy" `
    -Precedence 10 `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge "60.00:00:00" `
    -MinPasswordAge "1.00:00:00" `
    -LockoutThreshold 5 `
    -LockoutDuration "00:15:00" `
    -LockoutObservationWindow "00:15:00" `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

# Apply to a security group
Add-ADFineGrainedPasswordPolicySubject `
    -Identity "CIS-L1-PasswordPolicy" `
    -Subjects "Domain Admins"
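A Fine-Grained Password Policy for one group does not prove the domain as a whole meets the benchmark. The check below is an added example, not code from the original tutorial; it reads the effective Default Domain Password Policy and compares it with the Level 1 values used in this step (14-character minimum, 24 remembered passwords, 1-day minimum age, lockout threshold of 5, 15-minute lockout duration and window), plus the CIS upper bound of 365 days on maximum password age. It assumes the ActiveDirectory module and a domain-joined session.

```powershell
# Added example, not from the original tutorial: compare the effective Default
# Domain Password Policy with the CIS Level 1 account-policy values used above.
# Assumptions: ActiveDirectory module available; run from a domain-joined session.
Import-Module ActiveDirectory

function Test-CisAccountPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # Each check: description, observed value, and whether it meets the CIS L1 bound.
    # A MaxPasswordAge of 0 means "never expires", which CIS treats as non-compliant.
    $checks = @(
        @{ Name = "MinPasswordLength >= 14";             Value = $p.MinPasswordLength;                    Pass = $p.MinPasswordLength -ge 14 },
        @{ Name = "PasswordHistoryCount >= 24";          Value = $p.PasswordHistoryCount;                 Pass = $p.PasswordHistoryCount -ge 24 },
        @{ Name = "MaxPasswordAge 1..365 days";          Value = $p.MaxPasswordAge.TotalDays;             Pass = ($p.MaxPasswordAge.TotalDays -ge 1) -and ($p.MaxPasswordAge.TotalDays -le 365) },
        @{ Name = "MinPasswordAge >= 1 day";             Value = $p.MinPasswordAge.TotalDays;             Pass = $p.MinPasswordAge.TotalDays -ge 1 },
        @{ Name = "ComplexityEnabled";                   Value = $p.ComplexityEnabled;                    Pass = [bool]$p.ComplexityEnabled },
        @{ Name = "ReversibleEncryption disabled";       Value = $p.ReversibleEncryptionEnabled;          Pass = -not $p.ReversibleEncryptionEnabled },
        @{ Name = "LockoutThreshold 1..5";               Value = $p.LockoutThreshold;                     Pass = ($p.LockoutThreshold -ge 1) -and ($p.LockoutThreshold -le 5) },
        @{ Name = "LockoutDuration >= 15 min";           Value = $p.LockoutDuration.TotalMinutes;         Pass = $p.LockoutDuration.TotalMinutes -ge 15 },
        @{ Name = "LockoutObservationWindow >= 15 min";  Value = $p.LockoutObservationWindow.TotalMinutes; Pass = $p.LockoutObservationWindow.TotalMinutes -ge 15 }
    )

    $results = foreach ($c in $checks) {
        [pscustomobject]@{ Check = $c.Name; Observed = $c.Value; Compliant = [bool]$c.Pass }
    }
    return $results
}

$report = Test-CisAccountPolicy
$report | Format-Table -AutoSize | Out-Host

# Fine-Grained policies override the default for their subjects, so list them too
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize | Out-Host

if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning "Default Domain Policy does not meet CIS Level 1; fix it via the Default Domain Policy GPO."
}
```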

Step 3: Configure Audit Policies

CIS benchmarks require enabling both success and failure auditing for critical event categories. Windows Server 2025 uses the Advanced Audit Policy Configuration framework, giving you granular control over 53 subcategories. Use auditpol.exe to apply the required settings:

# Enable Logon/Logoff auditing (success and failure)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable

# Enable Account Logon auditing
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

# Enable Object Access auditing
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Enable Policy Change auditing
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

# Enable Privilege Use auditing
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# Enable Process Creation (for 4688 events)
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable

# Verify
auditpol /get /category:*
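Reading `auditpol /get /category:*` by eye does not scale across a server estate, and GPO-delivered audit settings can silently override what was set locally. The function below is an added example, not code from the original tutorial; it uses the CSV form of auditpol output (`/r`) so the comparison does not depend on screen formatting, and checks each subcategory configured above against the expected inclusion setting. The subcategory names and expected values are taken from the commands in this step.

```powershell
# Added example, not from the original tutorial: verify the effective advanced audit
# policy against the subcategories configured in this step.
function Test-CisAuditPolicy {
    # Expected "Inclusion Setting" text exactly as auditpol /r reports it
    $expected = [ordered]@{
        "Logon"                           = "Success and Failure"
        "Logoff"                          = "Success"
        "Credential Validation"           = "Success and Failure"
        "Kerberos Authentication Service" = "Success and Failure"
        "File System"                     = "Success and Failure"
        "Registry"                        = "Success and Failure"
        "Audit Policy Change"             = "Success and Failure"
        "Authentication Policy Change"    = "Success and Failure"
        "Sensitive Privilege Use"         = "Success and Failure"
        "Process Creation"                = "Success"
    }

    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $current = auditpol /get /category:* /r |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        ConvertFrom-Csv

    $results = foreach ($name in $expected.Keys) {
        $row = $current | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $observed = if ($row) { $row.'Inclusion Setting' } else { "<subcategory not found>" }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $expected[$name]
            Observed    = $observed
            Compliant   = ($observed -eq $expected[$name])
        }
    }
    return $results
}

$audit = Test-CisAuditPolicy
$audit | Format-Table -AutoSize | Out-Host
$audit | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "Audit drift: '$($_.Subcategory)' is '$($_.Observed)', expected '$($_.Expected)'"
}
```

Run it again after the GPO step: if a domain policy sets these subcategories differently, the drift shows up here rather than as missing events in your SIEM.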

Step 4: Configure User Rights Assignment

One of the most impactful CIS recommendations is restricting which accounts can log on over the network or access the system locally. The built-in Administrator account should be denied network logon to prevent pass-the-hash lateral movement. Use secedit or a GPO to enforce these rights:

# Make sure the working folder exists
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null

# Export current security settings (user rights area only) for reference and rollback
secedit /export /cfg C:\Temp\current_secedit.inf /areas USER_RIGHTS /quiet

# Create a custom INF file to deny network logon for built-in Administrator.
# S-1-5-114 = Local account and member of Administrators group (covers the built-in
# Administrator), S-1-5-32-546 = Guests, S-1-5-32-544 = Administrators,
# S-1-5-11 = Authenticated Users. secedit requires the [Version] section, and the
# single-quoted here-string keeps $CHICAGO$ from being expanded as a variable.
# Note that secedit replaces each listed right's membership with exactly these principals.
$infContent = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-32-546
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyRemoteInteractiveLogonRight = *S-1-5-114
'@
$infContent | Out-File -FilePath "C:\Temp\cis_userrights.inf" -Encoding Unicode

# Apply only the User Rights area of the template
secedit /configure /db C:\Temp\cis.sdb /cfg C:\Temp\cis_userrights.inf /areas USER_RIGHTS /quiet

# Verify by re-exporting: whoami /priv lists token privileges, not logon rights,
# so it cannot show these assignments
secedit /export /cfg C:\Temp\after_secedit.inf /areas USER_RIGHTS /quiet
Select-String -Path C:\Temp\after_secedit.inf -Pattern "SeDenyNetworkLogonRight|SeNetworkLogonRight|SeDenyRemoteInteractiveLogonRight"
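A secedit export lists user rights as raw SIDs, which makes review error-prone. The function below is an added example, not code from the original tutorial; it performs its own export of the user-rights area to a path of its choosing (C:\Temp\userrights_review.inf, an assumption), parses the [Privilege Rights] section, and resolves each SID to an account name so the assignments can be read and compared with the benchmark.

```powershell
# Added example, not from the original tutorial: export the effective user rights and
# resolve the SIDs to names for review. Output path is an assumption.
function Get-UserRightsFromInf {
    param([string]$Path = "C:\Temp\userrights_review.inf")

    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    secedit /export /cfg $Path /areas USER_RIGHTS /quiet | Out-Null

    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        # Track which INF section we are in; only [Privilege Rights] is of interest
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -notmatch '^(?<right>\S+)\s*=\s*(?<sids>.*)$') { continue }

        $right  = $Matches.right
        $tokens = $Matches.sids -split ','
        $principals = foreach ($token in $tokens) {
            $t = $token.Trim()
            if ($t -eq '') { continue }
            if ($t -like '*S-1-*') {
                # secedit prefixes SIDs with '*'; translate to DOMAIN\Name where possible
                $sid = New-Object System.Security.Principal.SecurityIdentifier($t.TrimStart('*'))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $t }
            } else {
                $t   # secedit may already write a name instead of a SID
            }
        }
        [pscustomobject]@{ Right = $right; Principals = ($principals -join '; ') }
    }
}

$rights = Get-UserRightsFromInf
$rights |
    Where-Object { $_.Right -in 'SeDenyNetworkLogonRight', 'SeNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight' } |
    Format-Table -AutoSize
```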

Step 5: Configure Security Options

Security Options cover a broad range of OS-level settings. Two critical CIS requirements are: setting LAN Manager authentication level to NTLMv2 only (refuse LM and NTLM) and ensuring LM hashes are never stored. Both can be set via the registry:

# Set LAN Manager authentication level to NTLMv2 only, refusing LM and NTLM (value 5)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LmCompatibilityLevel" -Value 5 -Type DWord

# Do not store LAN Manager hash on next password change
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "NoLMHash" -Value 1 -Type DWord

# Restrict NTLM: incoming NTLM traffic (2 = deny all accounts, 1 = deny all domain
# accounts, 0 = allow all). Enable AuditReceivingNTLMTraffic first and review the
# Microsoft-Windows-NTLM/Operational log for clients that would break before setting 2.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
    -Name "RestrictReceivingNTLMTraffic" -Value 2 -Type DWord

# Enable SMB signing (required by CIS) on both the server and the client side
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
    -Name "RequireSecuritySignature" -Value 1 -Type DWord

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
    -Name "RequireSecuritySignature" -Value 1 -Type DWord

Write-Host "Security options applied. Verify with: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
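Set-ItemProperty does not tell you whether a value later drifted back (for example, because a GPO sets something else). The function below is an added example, not code from the original tutorial; it drives a table of the registry values set in this step and reports the observed value next to the expected one. An absent value falls back to the OS default, so it is reported as a finding here so that it gets set explicitly.

```powershell
# Added example, not from the original tutorial: table-driven drift check for the
# LSA and SMB-signing registry values configured in this step.
function Test-CisSecurityOptions {
    $lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    $srv = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    $wks = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

    $expected = @(
        @{ Path = $lsa;          Name = "LmCompatibilityLevel";         Value = 5 },
        @{ Path = $lsa;          Name = "NoLMHash";                     Value = 1 },
        @{ Path = "$lsa\MSV1_0"; Name = "RestrictReceivingNTLMTraffic"; Value = 2 },
        @{ Path = $srv;          Name = "RequireSecuritySignature";     Value = 1 },
        @{ Path = $wks;          Name = "RequireSecuritySignature";     Value = 1 }
    )

    foreach ($e in $expected) {
        $observed = $null
        if (Test-Path $e.Path) {
            # -ErrorAction SilentlyContinue: a missing value name yields $null, not an exception
            $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
            if ($item) { $observed = $item.($e.Name) }
        }
        [pscustomobject]@{
            Key       = "$($e.Path)\$($e.Name)"
            Expected  = $e.Value
            Observed  = if ($null -eq $observed) { "<not set>" } else { $observed }
            Compliant = ($observed -eq $e.Value)
        }
    }
}

$drift = Test-CisSecurityOptions
$drift | Format-Table -AutoSize | Out-Host
$drift | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "Security option drift: $($_.Key) is '$($_.Observed)', expected $($_.Expected)"
}
```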

Step 6: Disable SMBv1

SMBv1 is an ancient protocol with known critical vulnerabilities (including EternalBlue, exploited by WannaCry and NotPetya). Windows Server 2025 disables SMBv1 by default, but you should verify and enforce this explicitly:

# Verify SMBv1 status
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# Disable SMBv1 feature (if somehow enabled)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Also disable via registry and SMB server settings
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
    -Name "SMB1" -Value 0 -Type DWord

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Audit SMB connections for legacy clients
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Verify
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access
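With AuditSmb1Access on, the server writes event ID 3000 to the Microsoft-Windows-SMBServer/Audit log each time an SMB1 client connects. Summarising those events tells you which legacy clients still depend on the protocol so they can be fixed before SMB1 is removed everywhere. The function below is an added example, not code from the original tutorial; the seven-day default window is an assumption, and the client address is pulled from the message text with an IPv4 pattern, so IPv6 clients show as unparsed.

```powershell
# Added example, not from the original tutorial: list clients that still use SMB1,
# from the audit events enabled by Set-SmbServerConfiguration -AuditSmb1Access $true.
# The time window is an assumption.
function Get-Smb1Clients {
    param([int]$Days = 7)

    $filter = @{
        LogName   = "Microsoft-Windows-SMBServer/Audit"
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Host "No SMB1 access events in the last $Days days."
        return @()
    }

    # The client address is embedded in the message text; extract it with a pattern
    # rather than relying on a fixed property index (IPv6 clients will be '<unparsed>')
    $events | ForEach-Object {
        $addr = if ($_.Message -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { "<unparsed>" }
        [pscustomobject]@{ Time = $_.TimeCreated; Client = $addr }
    } |
        Group-Object Client |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Client';   e = { $_.Name } },
                      Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } }
}

Get-Smb1Clients -Days 30 | Format-Table -AutoSize
```

An empty result after a representative window (including month-end jobs and backups) is the evidence you want before disabling SMB1 fleet-wide.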

Step 7: Enable Windows Firewall on All Profiles

CIS requires Windows Defender Firewall to be enabled on all three profiles: Domain, Private, and Public. Default-deny inbound with explicit allow rules should be the policy:

# Enable firewall on all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Set default inbound to block, outbound to allow
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen True

# Enable logging for dropped packets (CIS recommendation; CIS also expects logged
# successful connections and a separate log file per profile, e.g. domainfw.log,
# privatefw.log and publicfw.log)
Set-NetFirewallProfile -Profile Domain -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 16384

Set-NetFirewallProfile -Profile Private,Public -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 16384

# Verify all profiles
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
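Once dropped-packet logging is on, the log is only useful if someone reads it. The function below is an added example, not code from the original tutorial; it parses the W3C-style pfirewall.log using its own `#Fields:` header instead of hard-coded column positions and summarises DROP entries by source address and destination port. The sample lines are constructed for offline testing (documentation IP ranges, not captured traffic); pass `-Path` to read the real log file configured above.

```powershell
# Added example, not from the original tutorial: summarise DROP entries from the
# Windows Firewall log. Sample lines below are constructed, not captured from a host.
function Get-FirewallDropSummary {
    param(
        [string]$Path,        # real log, e.g. "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
        [string[]]$Lines,     # or lines supplied directly
        [int]$Top = 10
    )
    if ($Path) { $Lines = Get-Content -Path $Path }

    $fields  = $null
    $records = foreach ($line in $Lines) {
        # Column names come from the header, so a future field change does not break parsing
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }

    $drops = @($records | Where-Object { $_.action -eq 'DROP' })
    [pscustomobject]@{
        TotalRecords = @($records).Count
        Drops        = $drops.Count
        TopSources   = $drops | Group-Object 'src-ip' | Sort-Object Count -Descending |
                           Select-Object -Property Name, Count -First $Top
        TopDstPorts  = $drops | Where-Object { $_.protocol -in 'TCP', 'UDP' } |
                           Group-Object 'dst-port' | Sort-Object Count -Descending |
                           Select-Object -Property Name, Count -First $Top
    }
}

# Constructed sample in the pfirewall.log format (not captured from a real host)
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-01-15 10:00:01 DROP TCP 203.0.113.10 192.0.2.20 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2025-01-15 10:00:02 DROP TCP 203.0.113.10 192.0.2.20 51235 445 52 S 1234568 0 8192 - - - RECEIVE
2025-01-15 10:00:03 ALLOW TCP 192.0.2.30 192.0.2.20 49152 443 52 S 1234569 0 8192 - - - RECEIVE
2025-01-15 10:00:04 DROP UDP 198.51.100.7 192.0.2.20 40000 161 78 - - - - - - - RECEIVE
2025-01-15 10:00:05 DROP TCP 203.0.113.10 192.0.2.20 51236 3389 52 S 1234570 0 8192 - - - RECEIVE
'@ -split "`r?`n"

$summary = Get-FirewallDropSummary -Lines $sample
$summary | Format-List
$summary.TopSources | Format-Table -AutoSize
```

On the sample, 203.0.113.10 accounts for three of the four drops and 3389 is the most-hit port, which is the kind of signal that belongs in a SIEM rule rather than a log file nobody opens.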

Step 8: Apply Settings via Group Policy

For enterprise environments, GPOs are the preferred delivery mechanism. You can import the CIS baseline directly using the Microsoft LGPO.exe tool (part of the Security Compliance Toolkit) or manually configure settings in the Group Policy Management Console. To apply a GPO backup containing CIS settings:

# LGPO.exe (from the Security Compliance Toolkit): apply a GPO backup folder to local policy
.\LGPO.exe /g "C:\CISBaseline\GPO\{GUID-of-CIS-GPO}"

# Alternatively, create and link a new GPO via PowerShell
Import-Module GroupPolicy

$gpo = New-GPO -Name "CIS-WS2025-L1-Hardening" -Comment "CIS Benchmark Level 1"

# New-GPO creates an empty GPO; populate it from the CIS backup before linking it.
# The backup display name below is a placeholder for the name in the backup's manifest.
Import-GPO -BackupGpoName "<CIS-backup-display-name>" -Path "C:\CISBaseline\GPO" `
    -TargetName "CIS-WS2025-L1-Hardening"

$gpo | New-GPLink -Target "OU=Servers,DC=contoso,DC=com" -LinkEnabled Yes

# Force immediate policy refresh on target systems
Invoke-GPUpdate -Computer "WS2025-SRV01" -Force -RandomDelayInMinutes 0
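A GPO that exists but is unlinked, link-disabled, or has its settings disabled delivers nothing, and that state is easy to miss in a large domain. The function below is an added example, not code from the original tutorial; it confirms the CIS GPO is linked and enabled on the target OU, records whether the link is enforced, and saves an HTML settings report for change review. The GPO name and OU are the ones used in this step; the report path is an assumption.

```powershell
# Added example, not from the original tutorial: verify the CIS GPO link state and
# produce a settings report for review. Report path is an assumption.
Import-Module GroupPolicy

function Test-CisGpoLink {
    param(
        [string]$GpoName    = "CIS-WS2025-L1-Hardening",
        [string]$TargetOu   = "OU=Servers,DC=contoso,DC=com",
        [string]$ReportPath = "C:\CISReports\$GpoName.html"
    )

    $gpo  = Get-GPO -Name $GpoName -ErrorAction Stop
    # GpoLinks on the OU's inheritance object carry DisplayName, Enabled and Enforced
    $link = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName } | Select-Object -First 1

    New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $ReportPath

    [pscustomobject]@{
        Gpo       = $GpoName
        Linked    = [bool]$link
        Enabled   = if ($link) { [bool]$link.Enabled }  else { $false }
        Enforced  = if ($link) { [bool]$link.Enforced } else { $false }
        GpoStatus = $gpo.GpoStatus     # AllSettingsEnabled is the expected value
        Report    = $ReportPath
    }
}

$state = Test-CisGpoLink
$state | Format-List
if (-not ($state.Linked -and $state.Enabled)) {
    Write-Warning "$($state.Gpo) is not linked and enabled on the target OU; no hardening is being applied from it."
}
```

Keep the generated HTML report with each benchmark revision so that later diffs show exactly which settings changed between versions.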

Conclusion

Implementing the CIS Benchmark for Windows Server 2025 is a multi-faceted process, but the payoff — a measurably more secure configuration backed by industry consensus — is well worth the effort. By methodically applying account policies, audit settings, user rights assignments, security options, and firewall rules, you significantly reduce the attack surface of your server estate. Remember to re-run CIS-CAT Pro after hardening to measure your compliance score, document any deviations as risk-accepted exceptions, and schedule quarterly reviews as new benchmark revisions are released. Hardening is not a one-time task but an ongoing discipline.